Business and the personal affairs of individuals are conducted via messaging technologies, such as emails, instant messages, and texts. In fact, more people these days send email messages and Short Messaging Service (SMS) messages (texts) than call each other on their phones. Hackers and scammers are continually looking for ways to penetrate the devices of businesses and individuals, either for malicious purposes or to learn more about an individual in order to make a sale of some sort to that individual.
Messaging technologies have advanced over the years to the point that messages are no longer just plain text. The content of messages can include links, images, text, graphics, video, audio, and scripts that execute within the messaging clients. This has created a variety of security holes that enterprises are continually trying to close.
Many approaches exist in the software industry to make messaging communications more secure. One approach is to pre-scan incoming messages at the messaging server before the messages are released to the messaging clients for viewing. During pre-scan, if a high degree of security is needed, many valid messages are held in a portal even though they may in fact be harmless, desired, expected, and/or needed by the recipient of those messages. The held messages are often summarized once or twice daily and sent in summary form so that the recipient can decide whether to release the messages or to ignore them and let them be deleted, in due course, from the portal. This is hardly a timely process, and messages to which the recipient needed to respond promptly may have become stale or late, which could impact the business of the recipient or reflect poorly on the reputation of the recipient.
Moreover, when the server pre-scan approach has a security setting for messages that is set too low, the recipient may inadvertently open a message that the recipient believes to be safe and unknowingly unleash a script that could install spyware or malware on the recipient's device. Still further, if links are accessed within a malicious message received in the recipient's messaging client, the recipient may unknowingly access a phishing web page and disclose confidential information about the recipient, such as passwords, user identifiers, social security numbers, home addresses, credit card numbers, financial account numbers, and the like.
Other messaging security approaches attempt to filter and scan the messages within the messaging clients when they are received from the messaging servers. These approaches suffer from the same deficiencies as the pre-scan at the messaging server, in that both approaches rely on updated virus and spyware patterns that are constantly changing in response to new threats. If the patterns are not available, or have not yet been updated on the messaging client and/or messaging server, then malicious messages still end up in the recipient's messaging inbox and pose security risks to the recipient and the recipient's device.
Some approaches use both the messaging server pre-scan and the messaging client scan on recipients' messages. Again, harmful messages still find their way into the recipients' messaging clients when the predefined patterns are not yet available for recognizing those harmful messages.
In still other approaches, message servers and clients use digital signatures and/or digital certificates for verifying the authenticity of the senders of the messages. However, this is not widely deployed and is in some cases incompatible with some messaging clients. Recipients want to view all legitimate messages sent to them and not just those messages where the recipients have preauthorized known senders with verifiable signatures and/or certificates. Additionally, signature/certificate approaches fail when a trusted sender is hacked and sends a malicious message.
Therefore, there is a need to improve the security of messaging technologies with more timely message processing that does not have to rely on continuously updating pattern definitions and/or validating digital signatures and/or digital certificates.